You’ve managed to get a meterpreter session on a box via a webshell (possibly a network firewall or something else with an interface on the internal network you’re trying to own). But you hate having to use meterpreter’s portfwd and route options. They’re just too painful.

The whole of this article requires ssh access to the initial pivot point. Don’t worry if you can’t see the ssh service from your attacking box, we can bypass that using portfwd.

Here is a rough idea of how this network is set up.

The first thing to do is upload your public key to the victim box on 192.168.1.18 via your meterpreter session(you have created one haven’t you??? ssh-keygen)

FYI copying your key like this will blat out the pre-existing authorised keys, this was just a quick way i could demo it. I’m also doing this as root user, however this is NOT needed.

So now we have a target on the backend network, in this case it’s 10.0.0.1.

Now you need to download the main part of this article….. sshuttle!
Sshuttle is a clever set of python scripts that allows you to route TCP and UDP traffic over a SSH session. You don’t need to use a root account on your SSH server and you also don’t need to manually set up each forwarded port like you would with metasploit.

So now you’ve got shuttle installed and working all you need to do is connect to your local port 127.0.0.1:2222 which will then route through the meterpreter session onto the backend network. I think sshuttle only works for TCP and UDP so no arp-scanning or ICMP sweeps, please let me know if you know otherwise.